It has been a while since I have entered anything on my blog. But a few days ago I came across a very interesting situation that is uncommon because it is counterintuitive. It has to do with the way the Cisco ASA treats NAT in one particular situation.

An ASA was configured with split tunneling disabled for clients using the Cisco AnyConnect client. The ASA we are using has several IPsec tunnels to remote sites. As soon as the clients connected they had access to neither the Internet nor the remote sites. They could reach the internal LAN, though.

The reason, as you may have guessed, has to do with how NAT is configured. With split tunneling disabled, every packet from the client goes through the tunnel: a client's Internet traffic arrives on the outside interface and has to be translated and sent back out through that same interface, while its traffic to the remote sites must be exempted from that translation so it can still be carried untranslated through the site-to-site tunnels.

Of course the developers have not fixed it and sarcastically pointed out that the interface needs to go down in order for hostapd to enable the features needed for an access point.

But bringing the interface down does not clobber the IPv4 address, so I am sorry to say they are simply too lazy to fix it. There is a workaround, as always: after you start hostapd, just add the IPv6 address back to your wireless interface. This can be done automatically from rc.local when the machine boots.
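The workaround as a boot-time script, added here as an example; it is not the post's own rc.local, and the interface name, the hostapd.conf path and the 2001:db8:1::1/64 address are assumed values:

```shell
#!/bin/sh
# Added example (not the original post's script): start hostapd, wait for
# the interface to come back up, then re-add the IPv6 address that the
# down/up cycle removed. Interface, address and config path are assumptions.

WLAN_IF="wlan0"
WLAN_IP6="2001:db8:1::1/64"            # constructed example address
HOSTAPD_CONF="/etc/hostapd/hostapd.conf"

# Accept only "addr/prefixlen". A bare address would be added as a /128 by
# `ip -6 addr add`, and the router would no longer treat the /64 as on-link.
valid_ipv6_cidr() {
    case "$1" in
        */*) ;;
        *)   return 1 ;;
    esac
    addr="${1%/*}"; plen="${1##*/}"
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -ge 1 ] && [ "$plen" -le 128 ] || return 1
    case "$addr" in
        *:*:*) ;;                      # at least two colons: rules out IPv4
        *)     return 1 ;;
    esac
    case "$addr" in
        *[!0-9a-fA-F:]*) return 1 ;;   # only hex digits and colons
    esac
    return 0
}

# hostapd brings the interface down and up; wait until it is admin UP again.
wait_iface_up() {
    i=0
    while [ "$i" -lt 30 ]; do
        if ip link show dev "$1" 2>/dev/null | grep -q '[<,]UP[,>]'; then
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    return 1
}

# Add the address only if it is missing, so the script can be re-run safely.
# (ip prints addresses in compressed form; give WLAN_IP6 the same way.)
ensure_ipv6() {
    if ip -6 addr show dev "$1" 2>/dev/null | grep -q " ${2%/*}/"; then
        return 0
    fi
    ip -6 addr add "$2" dev "$1"
}

main() {
    valid_ipv6_cidr "$WLAN_IP6" || { echo "bad address: $WLAN_IP6" >&2; exit 1; }
    hostapd -B "$HOSTAPD_CONF"
    wait_iface_up "$WLAN_IF" || { echo "$WLAN_IF never came up" >&2; exit 1; }
    ensure_ipv6 "$WLAN_IF" "$WLAN_IP6"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Call it from rc.local as `/path/to/script --run`. The prefix-length check is the part worth keeping even if you rewrite the rest: an address added without `/64` silently becomes a host route and clients will not see the prefix as on-link.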

You can run the router virtually. I use VirtualBox; of course you need a machine with enough resources to run VirtualBox and its VMs.

The router does not need much overhead: if you do not install X, you can get away with 256 MB of memory for the VM.

Then you start the VM headless:

/usr/bin/VBoxManage startvm "VMName" --type headless

And remember to let the VM capture the USB wireless adapter: it must be recognized by the host and then passed through to the VM. Then bring the adapter down on the host with "ifconfig wlan0 down" so the host stops using it.

The setup is general enough that, if you want the Ubuntu box to also act as your Internet router, it can be done. In that case you need three interfaces: eth0 to the Internet, eth1 to your LAN and wlan0 for wireless.

The setup should be straightforward, but you now need a good iptables configuration, since you are forwarding packets between the three interfaces and only the traffic you intend should be allowed through.
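A starting point for that ruleset, added here as an example and not the post's own configuration. It assumes the three interface names above and adds a dry-run switch so the rules can be reviewed before they are applied:

```shell
#!/bin/sh
# Added example (not the post's own rules): default-deny forwarding for a box
# with eth0 (Internet), eth1 (wired LAN) and wlan0 (Wi-Fi). Interface names
# are assumptions; adjust them to your system.

WAN="eth0"
LAN="eth1"
WIFI="wlan0"

# With IPT_DRY_RUN=1 the rules are printed instead of applied, so the
# resulting ruleset can be reviewed on a machine without root or iptables.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Clean slate, and deny forwarding unless a rule below allows it.
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING
    ipt -P FORWARD DROP

    # Replies to connections we allowed may come back in from anywhere.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Both internal segments may open connections to the Internet...
    ipt -A FORWARD -i "$LAN"  -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$WIFI" -o "$WAN" -j ACCEPT
    # ...and to each other. Remove these two lines to keep Wi-Fi clients
    # away from the wired LAN.
    ipt -A FORWARD -i "$WIFI" -o "$LAN" -j ACCEPT
    ipt -A FORWARD -i "$LAN"  -o "$WIFI" -j ACCEPT

    # Hide internal addresses behind the address of eth0.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Everything else hits the DROP policy: no rule accepts new connections
    # arriving on eth0, so the internal segments are not reachable from outside.
}

enable_forwarding() {
    if [ "${IPT_DRY_RUN:-0}" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

if [ "${1:-}" = "--apply" ]; then
    enable_forwarding
    build_rules
fi
```

Run it as root with `--apply` to load the rules, or with `IPT_DRY_RUN=1` set in the environment to print them first. If the box also routes IPv6, ip6tables needs the same default-deny treatment: there is no masquerading hiding the internal hosts there, so a permissive FORWARD chain exposes them directly.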

In a previous post I showed how to set up an ad-hoc network, using iptables masquerading to allow Wi-Fi clients to connect.

The main reason was that I already had a dual-stack FC server running that connects me to my cable provider.

On the other hand, I use a cheap wireless router when I need Wi-Fi connectivity for my smartphone or laptop, but that router does not support IPv6, so the ad-hoc setup worked like a charm.

The setup has a drawback. On my wireless router I used MAC filtering, so only clients with MAC addresses I allow can get an address and connect. It keeps casual devices off the network, but MAC addresses travel in the clear in 802.11 frames, so a determined attacker can read an allowed address and clone it; treat MAC filtering as a convenience rather than as real access control, even if in most cases it is still worth having.

In addition, the ad-hoc network was unreliable, so I decided to make the FC server a hotspot and use dnsmasq for DHCPv6. It works great.

Now that I have a dual stack working with IPv6, I decided to test wireless with IPv6.

That posed a problem, since the wireless router I use does not support IPv6 and cannot be upgraded. Even if it could, that would not have helped: I receive a single /64 from my provider, and you cannot carve several networks out of it, say /65s, because stateless address autoconfiguration needs a 64-bit prefix, and you need separate networks to route properly.
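What "it has to be a /64" means for the dnsmasq DHCPv6 setup, as an added example rather than the post's own configuration: the function refuses anything but a /64 before emitting the router-advertisement and DHCPv6 options. The interface name and the 2001:db8:abcd::/64 prefix are constructed values, and the prefix is expected in compressed form ending in "::":

```shell
#!/bin/sh
# Added example, not the post's own configuration. Emits a dnsmasq stanza
# that advertises one /64 on the Wi-Fi interface and hands out DHCPv6 leases
# from the same prefix. Interface name and 2001:db8:abcd::/64 are
# constructed values.

# Prefix length of "addr/len"; fails when no length is given.
prefix_len() {
    case "$1" in
        */*) echo "${1##*/}" ;;
        *)   return 1 ;;
    esac
}

# SLAAC builds the host part from a 64-bit interface identifier, so the
# advertised prefix must be exactly /64: a /65 cannot be autoconfigured.
slaac_ok() {
    plen=$(prefix_len "$1") || return 1
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -eq 64 ]
}

# Print dnsmasq options for interface $1 and prefix $2 (compressed form
# ending in "::", e.g. 2001:db8:abcd::/64).
dnsmasq_v6_stanza() {
    iface="$1"; prefix="$2"
    if ! slaac_ok "$prefix"; then
        echo "$prefix is not a /64; stateless autoconfiguration would break" >&2
        return 1
    fi
    net="${prefix%/*}"
    case "$net" in
        *::) ;;
        *)   echo "expected a compressed prefix ending in ::" >&2; return 1 ;;
    esac
    cat <<EOF
interface=$iface
bind-interfaces
# Send router advertisements so clients can autoconfigure from the /64.
enable-ra
# Stateful DHCPv6 leases out of the same /64; ra-names also registers the
# names of dual-stack hosts that only use SLAAC for IPv6.
dhcp-range=${net}100,${net}1ff,ra-names,64,12h
dhcp-authoritative
EOF
}

if [ "${1:-}" = "--print" ]; then
    dnsmasq_v6_stanza "${2:-wlan0}" "${3:-2001:db8:abcd::/64}"
fi
```

Run `./v6.sh --print wlan0 2001:db8:abcd::/64` and put the output in /etc/dnsmasq.conf or a file under /etc/dnsmasq.d/. The interface must already carry an address from that /64 before dnsmasq starts, otherwise it has nothing to advertise.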